ChEd
New Contributor

Virtual IP inbound NAT using wrong IP going outbound

Hello All,

Following a thread I posted recently related to routing, the same firewall is giving me problems with a NAT (FortiGate 200B, running v4.0,build0639,120906 (MR3 Patch 10)). I am struggling to find a reason why a server with inbound NAT configured using a VIP (for email to flow inbound) is not going out on the same interface it came in on. My understanding is that if I NAT something inbound then it should use the same external IP on the VIP to go outbound? So if I have set it to use a specific external IP coming inbound on port 12, it should show that IP as its IP if it makes an outbound connection? The email server makes outbound connections to Mimecast for sending mail and it's locked to a specific IP. I have seen this work fine on other FortiGates, but this one is showing it as using port 9 going out, which shouldn't happen with a server running on a VIP, right? The weird thing is it's still accepting connections inbound for RDP/email etc. just fine, but I had to use a policy route to force it to use the correct interface to go out to Mimecast, and when I do this the IP when you telnet the Mimecast servers is the correct one that I have set as the external IP on the VIP.

Here is the setup: port12 -> internal - this has the VIP on it, but when the server goes outbound it's using port 9?! The firewall in question does have multiple routes out to the internet, but I am getting reports that the internet speed is not great for users. It's just doing source IP based ECMP, so perhaps it's just hitting port 9 a lot since this is the first route to the internet in its routing table?
micahawitt
New Contributor III

Ched, if I'm reading this right, let's say you have a block of IPs, 1.1.1.1-1.1.1.5. You're saying that if you have an inbound VIP of 1.1.1.2 to point to something internal, it should go out 1.1.1.2; instead it's going out 1.1.1.1 (default outbound for argument's sake). Typically what I do is, in the IP pool section, create your static outbounds, for example 1.1.1.1 = outbound clients, 1.1.1.2 = outbound fortimail, 1.1.1.3 = outbound x. Your default for all traffic I assume is port 9. To change this, make a new policy for your inbound to go outbound. So, if 1.2 is inbound, make a firewall object for that one internal VIP you have. Then make your policy: source internal firewall object port 12, all, NAT, dynamic IP pool, and then choose your outbound fortimail. That should fix your issue. Attached I have a pic of mine to help.
ChEd
New Contributor

Thanks micahawitt. Yes, you understood what I was trying to say. I don't normally use IP pools when choosing NAT on an outbound policy; normally I leave it set to use destination interface address. I did actually have a firewall policy like you described set (but using destination interface address on the NAT setting), but it was preventing some machines on the LAN accessing the internet, which was revealed when I did a packet trace from the CLI. It probably relates to the fact this thing has 8 routes out to the internet and port 9 is the first entry in the static routing table, hmmm.
micahawitt
New Contributor III

Well... if you move the policy higher up in the list for your single outbound NAT with IP pool, your routing table shouldn't affect too much for your default clients. Anything default for clients, make sure it is the last one possible.
ChEd
New Contributor

I did try to move the policy up, but it refused because I am using a zone to group some interface mode IPsec tunnels together. It comes up with this: "Moving a policy from one interface/zone pair to a different interface/zone pair is not permitted." If I wanted to move it up, would I have to take out the IPsec tunnels in the zone that are terminated on the port that relates to the policy that I am trying to move?
micahawitt
New Contributor III

Ahhhh so, when I say move up, I mean look at the actual ID of the policy. You might have to add that column in to see. Yeah, moving from one zone to another won't work. So within the zones of your port to port policies, for example port12 --> wan1, and for all zones for that matter, typically I do VPN (SSL and IPsec) first in order, then your specific VIPs outbound, then lastly client stuff (least important). But within the zones, again, make sure you can see that ID column, and move that VIP to an ID previous to the last ID. I got this messed up when I first started on FortiGates..
ChEd
New Contributor

Thanks again, but I do have the ID column shown. I remember going from the older green interface to the new look and wondered where the ID had gone to :) Perhaps if I try to shuffle the VPN zone around it might then let me move the firewall policies that relate to outbound internet access?
micahawitt
New Contributor III

If you are within a zone, say port12 to wan1, then you should be able to shuffle them around. If not, then I would leave tunnels as they are; then you would probably have to delete the non-tunnels and recreate them as needed. It really depends on how it is set up and the overall goal. Sometimes I have put myself in a pickle with that and realized I had to recreate all my policies because of poor planning on my part on how I wanted things to flow. As I think about this a little more clearly, the only thing that should change is the fact that you added an IP pool to your one policy. As long as your default outgoing port, port9 it sounds like, houses all your external IPs, then you should be OK. Then move the ID up one from the default outgoing and add the IP pool outbound NAT. Otherwise, delete that one policy, recreate it on port12 to wan1, set the outbound IP pool and you should be good to go. Then all the other policies can stay as is.
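As an added example that is not part of any post in this thread, here is what micahawitt's suggestion (a one-address IP pool on a dedicated outbound policy for the mail server, placed ahead of the general client policy by policy ID) looks like in FortiOS CLI. All addresses, interface roles, object names and policy IDs are assumptions; only "port12" (internal) and "port9" (first internet route) come from the thread, and lines starting with `#` are comments.

```fortios
# Assumed internal mail server address object.
config firewall address
    edit "mail-server"
        set subnet 192.168.10.25 255.255.255.255
    next
end
# Inbound: public IP (assumed) on the WAN side mapped to the mail server.
config firewall vip
    edit "vip-mail"
        set extip 203.0.113.10
        set extintf "port9"
        set mappedip 192.168.10.25
    next
end
# Outbound: a pool holding only the same public IP as the VIP, so the
# server's own connections leave with that address instead of the
# destination interface address.
config firewall ippool
    edit "pool-mail-out"
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end
# Dedicated outbound policy for the mail server only (ID 50 assumed).
# On 4.0 MR3 the any-service object is "ANY"; newer releases name it "ALL".
config firewall policy
    edit 50
        set srcintf "port12"
        set dstintf "port9"
        set srcaddr "mail-server"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set ippool enable
        set poolname "pool-mail-out"
    next
    # Reorder within the same port12 -> port9 pair without recreating
    # anything: put policy 50 ahead of the general client policy (ID 10 assumed).
    move 50 before 10
end
```

The outbound policy must sit in the same interface pair as the client policy it is moved before, which is the restriction the later posts in the thread run into with zones.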
ChEd
New Contributor

It's looking like I might have to re-create some policies on this thing to try to get it to behave how I need it to. I inherited this config (I converted the config from a 200A to this 200B) and it's not ideal now, so I might try to shape the interface that it uses for internet traffic using priorities on the static routes out to the internet. Thanks for your advice :)
micahawitt
New Contributor III

NPS!! Good luck!!